Risk analysis is the process of assigning a risk status to the information system based on the information collected in the preceding steps. Threats that were analyzed according to their accompanying motivation level and capability level are paired up with matching vulnerabilities. These threat/vulnerability pairs are compared to protective security controls in order to determine how likely it is that an exploitation attempt will succeed.

Control Analysis
Analyze both planned controls and controls that are already implemented in order to determine the likelihood of a threat exercising a vulnerability

The checklist developed in the last section (Vulnerability Assessment) is used to analyze security controls.

Likelihood Determination
Take into consideration:

Threat source

Motivation

Capability to exploit a vulnerability

Security controls

Existence

Effectiveness at mitigation

Balance this information to create a likelihood rating of high, moderate, or low.

balancing risk

Impact Analysis
Impact levels are generally also rated at high, moderate, or low, but they may also include either qualitative or quantitative analysis. The analysis should consider criticality and sensitivity of the system and its data.

Risk Determination
By cross-referencing the determination of likelihood and the level of impact, an overall determination of risk to the system and the organization can be made.